From: Anton Ivanov <[email protected]> 1. Split build_lswitch_input_port_sec into per-datapath and per-port iterators 2. Reuse common scratchpad in the per-port build 3. Migrate the two new functions to the converged build loops
Signed-off-by: Anton Ivanov <[email protected]> --- northd/ovn-northd.c | 102 +++++++++++++++++++++----------------------- 1 file changed, 49 insertions(+), 53 deletions(-) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index cbd18d9aa..bda83e106 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c 
@@ -4841,70 +4841,64 @@ has_stateful_acl(struct ovn_datapath *od) return false; } +/* Logical switch ingress table 0: Ingress port security - L2 + * (priority 50). + * Ingress table 1: Ingress port security - IP (priority 90 and 80) + * Ingress table 2: Ingress port security - ND (priority 90 and 80) + */ static void -build_lswitch_input_port_sec(struct hmap *ports, struct hmap *datapaths, - struct hmap *lflows) +build_lswitch_input_port_sec_op( + struct ovn_port *op, struct hmap *lflows, + struct ds *actions, struct ds *match) { - /* Logical switch ingress table 0: Ingress port security - L2 - * (priority 50). - * Ingress table 1: Ingress port security - IP (priority 90 and 80) - * Ingress table 2: Ingress port security - ND (priority 90 and 80) - */ - struct ds actions = DS_EMPTY_INITIALIZER; - struct ds match = DS_EMPTY_INITIALIZER; - struct ovn_port *op; - HMAP_FOR_EACH (op, key_node, ports) { - if (!op->nbsp) { - continue; - } + if (!op->nbsp) { + return; + } - if (!lsp_is_enabled(op->nbsp)) { - /* Drop packets from disabled logical ports (since logical flow - * tables are default-drop). */ - continue; - } + if (!lsp_is_enabled(op->nbsp)) { + /* Drop packets from disabled logical ports (since logical flow + * tables are default-drop). 
*/ + return; + } - if (lsp_is_external(op->nbsp)) { - continue; - } + if (lsp_is_external(op->nbsp)) { + return; + } - ds_clear(&match); - ds_clear(&actions); - ds_put_format(&match, "inport == %s", op->json_key); - build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs, - &match); + ds_clear(match); + ds_clear(actions); + ds_put_format(match, "inport == %s", op->json_key); + build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs, + match); - const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id"); - if (queue_id) { - ds_put_format(&actions, "set_queue(%s); ", queue_id); - } - ds_put_cstr(&actions, "next;"); - ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, - ds_cstr(&match), ds_cstr(&actions), - &op->nbsp->header_); + const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id"); + if (queue_id) { + ds_put_format(actions, "set_queue(%s); ", queue_id); + } + ds_put_cstr(actions, "next;"); + ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, + ds_cstr(match), ds_cstr(actions), + &op->nbsp->header_); - if (op->nbsp->n_port_security) { - build_port_security_ip(P_IN, op, lflows, &op->nbsp->header_); - build_port_security_nd(op, lflows, &op->nbsp->header_); - } + if (op->nbsp->n_port_security) { + build_port_security_ip(P_IN, op, lflows, &op->nbsp->header_); + build_port_security_nd(op, lflows, &op->nbsp->header_); } +} - /* Ingress table 1 and 2: Port security - IP and ND, by default - * goto next. (priority 0) - */ - struct ovn_datapath *od; - HMAP_FOR_EACH (od, key_node, datapaths) { - if (!od->nbs) { - continue; - } +/* Ingress table 1 and 2: Port security - IP and ND, by default + * goto next. 
(priority 0) + */ +static void +build_lswitch_input_port_sec_od( + struct ovn_datapath *od, struct hmap *lflows) +{ + if (od->nbs) { ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_ND, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_IP, 0, "1", "next;"); } - - ds_destroy(&match); - ds_destroy(&actions); } static void @@ -6844,8 +6838,6 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, struct ds actions = DS_EMPTY_INITIALIZER; struct ovn_datapath *od; - build_lswitch_input_port_sec(ports, datapaths, lflows); - /* Ingress table 13: ARP/ND responder, skip requests coming from localnet * and vtep ports. (priority 100); see ovn-northd.8.xml for the * rationale. */ @@ -11381,6 +11373,7 @@ build_lswitch_and_lrouter_iterate_by_od( build_fwd_group_lflows(od, lsi->lflows); build_lswitch_lflows_admission_control(od, lsi->lflows); + build_lswitch_input_port_sec_od(od, lsi->lflows); /* Build Logical Router Flows. */ build_adm_ctrl_flows_for_lrouter(od, lsi->lflows); @@ -11410,8 +11403,11 @@ build_lswitch_and_lrouter_iterate_by_op( struct ovn_port *op, struct lswitch_flow_build_info *lsi) { - /* Build Logical Router Flows. */ + /* Build Logical Switch Flows. */ + build_lswitch_input_port_sec_op(op, lsi->lflows, &lsi->actions, + &lsi->match); + /* Build Logical Router Flows. */ build_adm_ctrl_flows_for_lrouter_port(op, lsi->lflows, &lsi->match, &lsi->actions); build_neigh_learning_flows_for_lrouter_port(op, lsi->lflows, &lsi->match, -- 2.20.1 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
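Review bot: The new `build_lswitch_input_port_sec_op` takes its scratch buffers as `struct ds *actions, struct ds *match`, while the per-port builders the converged loop already calls next to it (`build_adm_ctrl_flows_for_lrouter_port`, `build_neigh_learning_flows_for_lrouter_port` in the last hunk) take `match` before `actions`; since both are `struct ds *`, a swapped call site compiles silently, so it would be safer to declare `struct ovn_port *op, struct hmap *lflows, struct ds *match, struct ds *actions` and pass `&lsi->match, &lsi->actions` in the `build_lswitch_and_lrouter_iterate_by_op` hunk (whose body continues outside the hunk). The header comment moved above `_op` could also state the scratch contract now that the buffers are caller-owned, e.g. `/* 'match' and 'actions' are caller-owned scratch buffers: cleared on entry, contents not meaningful on return. */`. As a point of style, `build_lswitch_input_port_sec_od` wraps its body in `if (od->nbs) { ... }` whereas `_op` uses guard returns; `if (!od->nbs) { return; }` would keep the two siblings consistent.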
